If malware was running on this endpoint, the user might not have been aware of the failures.

I suggest exporting the alert from the portal to Excel and checking the details of the network activities that triggered it. Check which protocols were used and against which resources; maybe it will give you a clue.

What about the security log on the endpoint? Anything there from this time frame?
Do you have Defender on this machine? Maybe Defender noticed something off on this machine during this time frame?